AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application:

Lucas Cunha 26 Reputation points
2020-06-24T21:03:50.813+00:00

We have a customer of our application using SAML with Microsoft and everything is looking good. However, two specific users are reporting not being able to log in and are reporting the error mentioned in the title. Other users are logging in without any problem; just those two users are reporting this problem.

Here is a screenshot of the problem:
[screenshot: screen-shot-2020-06-24-at-173238.png]

Can you guys help me understand what might be happening? Other accounts and other users on the same account are able to login without any issues.

Microsoft Entra ID

2 answers

  1. Marilee Turscak-MSFT 33,706 Reputation points Microsoft Employee
    2020-06-25T23:15:10.447+00:00

    Hi @Lucas Cunha ,

    Your case may be different, but this often happens for one of two reasons.

    • Azure AD was unable to identify the SAML request within the URL parameters of the HTTP request. This can happen if the application is not using the HTTP redirect binding when sending the SAML request to Azure AD; you can resolve this by sending the SAML request encoded into the Location header using the HTTP redirect binding.
    • If you're getting the reply URL error in this situation and only for certain users, this can happen if the sign-in request does not contain an explicit reply URL. In this case Azure AD will select any of the configured reply URLs for that application. Even if the application has an explicit reply URL configured, the user may be redirected to https://127.0.0.1:444.
    • The troubleshooting guide says that deleting any unused reply URLs will help resolve this error.
    • Delete the unused reply URLs configured for the application:
        1. Open the Azure portal and sign in as a Global Administrator or Co-admin.
        2. Open the Azure Active Directory extension by selecting All services at the top of the main left-hand navigation menu.
        3. Type "Azure Active Directory" in the filter search box and select the Azure Active Directory item.
        4. Select Enterprise Applications from the Azure Active Directory left-hand navigation menu.
        5. Select All Applications to view a list of all your applications.
        6. If you do not see the application you want here, use the Filter control at the top of the All Applications list and set the Show option to All Applications.
        7. Select the application you want to configure for single sign-on.
        8. Once the application loads, open Basic SAML Configuration. In the Reply URL (Assertion Consumer Service URL) field, delete unused or default Reply URLs created by the system, for example https://127.0.0.1:444/applications/default.aspx.

  2. 2021-10-01T21:37:20.277+00:00

    I have the same problem, but it happens when my URL is load-balanced through the Azure gateway; I have not been able to solve it.

    I see that the gateway sends the URL like this:
    https://serverbalanced.red.miempresa.com.co

    But my servers have the following URLs:
    https://server1.red.miempresa.com.co
    https://server2.red.miempresa.com.co

    The authentication process is done, but in the response I get the error that the URL for the entityid was not found: http://serverbalanced.red.miempresa.com.co

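The following is an added example and is not code from either answer above or from Microsoft. It models what the first answer relies on: the service provider encoding its AuthnRequest with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded into the query string) and the identity provider matching the explicit AssertionConsumerServiceURL against the reply URLs registered for the application. It also reproduces the load-balancer situation in the second answer, where a backend node builds its reply URL from the Host header it sees (server1...) instead of the public balanced hostname. All hostnames, the tenant id, the `/saml/acs` path and the registered reply-URL list are constructed assumptions, and the IdP-side matching (exact, case-sensitive) is this model's assumption rather than Microsoft's implementation.

```python
"""Added example, not code from the original thread or from Microsoft.

Models an SP sending a SAML AuthnRequest with the HTTP-Redirect binding and
an IdP matching the explicit AssertionConsumerServiceURL against the reply
URLs registered for the app. Every hostname, URL and the registered
reply-URL list below is a constructed assumption.
"""
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from xml.sax.saxutils import escape, quoteattr

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed values; the tenant id is a placeholder, not a real tenant.
IDP_SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
PUBLIC_HOST = "serverbalanced.red.miempresa.com.co"
SP_ENTITY_ID = f"https://{PUBLIC_HOST}"
DEFAULT_REPLY_URL = "https://127.0.0.1:444/applications/default.aspx"  # system-created default
CONFIGURED_REPLY_URLS = [f"https://{PUBLIC_HOST}/saml/acs", DEFAULT_REPLY_URL]


def acs_url_for_request(host_header, public_host=None):
    """Reply URL the SP will claim. Behind a load balancer a backend may see its own
    node name (server1...) in Host; pinning public_host avoids sending an unregistered URL."""
    return f"https://{public_host or host_header}/saml/acs"


def build_authn_request(acs_url=None):
    """AuthnRequest XML; acs_url=None models an SP that omits the explicit reply URL."""
    acs_attr = f" AssertionConsumerServiceURL={quoteattr(acs_url)}" if acs_url else ""
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"'
        f' ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issue_instant}"'
        f' Destination="{IDP_SSO_URL}" ProtocolBinding="{POST_BINDING}"{acs_attr}>'
        f"<saml:Issuer>{escape(SP_ENTITY_ID)}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_binding_url(authn_request_xml, relay_state="/"):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encoded into the Location query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(query)


def idp_resolve_reply_url(location, configured=CONFIGURED_REPLY_URLS):
    """Model of the IdP side (an assumption, not Microsoft's implementation).
    Returns (status, reply_url) or, when no explicit reply URL was sent, (status, candidates)."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(location).query)
    if "SAMLRequest" not in params:
        # Nothing in the URL parameters, e.g. the SP used a POST body instead of Redirect.
        return "error: no SAMLRequest in URL parameters", None
    try:
        xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
        root = ET.fromstring(xml)
    except (ValueError, zlib.error, ET.ParseError):
        return "error: SAMLRequest is not raw-deflate+base64 XML", None
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return "error: not an AuthnRequest", None
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        # No explicit reply URL: every registered URL is a candidate, stale defaults included.
        return "fallback: no explicit reply URL in request", tuple(configured)
    if acs not in configured:  # exact, case-sensitive comparison
        return "AADSTS50011: reply URL not registered", acs
    return "ok", acs


if __name__ == "__main__":
    backend_host = "server1.red.miempresa.com.co"
    for label, acs in [
        ("pinned public host", acs_url_for_request(backend_host, public_host=PUBLIC_HOST)),
        ("Host header from backend", acs_url_for_request(backend_host)),
        ("no explicit reply URL", None),
    ]:
        print(label, "->", idp_resolve_reply_url(redirect_binding_url(build_authn_request(acs))))
```

Running it shows the three outcomes side by side: a request carrying the registered public URL is accepted, a request carrying the backend node's own hostname is rejected with the reply-URL mismatch, and a request with no AssertionConsumerServiceURL at all leaves every registered URL as a candidate, which is why a leftover default such as https://127.0.0.1:444/applications/default.aspx can be the one a user lands on. Removing that stale entry from the registered list, as the first answer recommends, removes it from the candidates; pinning the public hostname on the SP side, rather than echoing the Host header, is the fix for the load-balanced case.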